Author Topic: FCC rules in USA  (Read 11242 times)


Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4078
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: FCC rules in USA
« Reply #25 on: August 31, 2016, 05:51:32 am »
Ask the dealer to turn off RKE. It's a firmware option.
The immobilizer (start inhibitor?) is often an infrared signal.

x-y problem once again.
 
The following users thanked this post: janoc

Offline b_force

  • Super Contributor
  • ***
  • Posts: 1381
  • Country: 00
    • One World Concepts
Re: FCC rules in USA
« Reply #26 on: August 31, 2016, 11:29:01 am »
Quote
I seriously still don't get the whole discussion.
It is all about how you're gonna use it. You have to see it in perspective.
As far as I understand the topic starter, it's more for occasional experiments.

Quote
No, read what he wrote:

Hi guys, I'm planning on building a consumer device that jams 315MHz frequencies in the USA, and I was hoping to get your advice on the legality of it.
(emphasis added)

The FCC has published an FAQ about jammers: https://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf
I'm no lawyer, but it seems obvious to me that they're saying that a device that deliberately interferes with communications is illegal, period.

If you make one for personal use, you probably won't get caught. If you try to market such a device, you likely will get caught. If you try to get FCC certification for the device, well, good luck.
Yes, I can read.

A consumer product could also be read as a product that could be used by someone else than me (and me as in a designer who makes the product for someone, even if it's test gear). I already agreed before (as you can read) that if you're talking about something is going into production, it will be an issue.


Offline b_force

  • Super Contributor
  • ***
  • Posts: 1381
  • Country: 00
    • One World Concepts
Re: FCC rules in USA
« Reply #27 on: August 31, 2016, 11:40:10 am »
Quote
10 seconds of googling "FCC intentional interference" would have revealed:  https://www.fcc.gov/general/jammer-enforcement

Quote
Jamming Prohibition

The use of "cell jammers" or similar devices designed to intentionally block, jam, or interfere with authorized radio communications (signal blockers, GPS jammers, or text stoppers, etc.) is a violation of federal law. Also, it is unlawful to advertise, sell, distribute, or otherwise market these devices to consumers in the United States. These devices pose serious risks to critical public safety communications, and can prevent you and others from making 9-1-1 and other emergency calls. Jammers can also interfere with law enforcement communications. Operation of a jammer in the United States may subject you to substantial monetary penalties, seizure of the unlawful equipment, and criminal sanctions including imprisonment.

In short, don't do it.  Full stop.
That's not what I am reading.
In short it's only a problem when you do bring people "in danger" (bit far fetched but ok), and interfere with certain communications.
So it is very clearly only about interfering with public and governmental communication and safety.
So when you make the coverage area (very) small, out of the public and maybe shielded (internal), it's not really a problem, like I said before.

Quote
OK.  Submit an application to the FCC for such a device and post the response.  I already know what the answer will be.
It's all about some words being used. But like said before 'harmful' is a key word.
It very clearly reads that it has to be in a certain frequency spectrum/bandwidth PLUS it needs to be harmful?

That by definition means that if I can prove that even if I have a jammer but it isn't harmful, by using it in a Faraday cage for example, which is part of the product, I haven't done anything that's illegal.
In fact, from a noise (or radio send/receive) point of view the product is non-existent. It transmits as much as a piece of wood and therefore I don't even need to apply for FCC.
The difficulty is that you will need good measurements and documentation (best done by a notified body)

So the question is not if a product is harmful, but HOW harmful it is. Like said before a Class-D amplifier (or a SMPS) is also harmful and can be seen as a jammer (even if that's not its main purpose).
So in other words, everything is pretty much a jammer. But some more than others.

« Last Edit: August 31, 2016, 11:51:01 am by b_force »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #28 on: August 31, 2016, 12:29:35 pm »
Not. At. All.

Besides, if the product is inside an effective Faraday cage then the product is pointless.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: FCC rules in USA
« Reply #29 on: August 31, 2016, 01:15:56 pm »
Quote
There are far more effective methods of attacking than the "two-thief" and amplifier-based attacks. I won't discuss them since I don't want them to spread, but you can probably work them out pretty easily on your own.

Possibly, especially if the car manufacturer was clueless and didn't use multiple challenge/response transactions or one time codes, facilitating various possible replay attacks. You don't need to worry about "them spreading", the attacks are published - they have been at Defcon and BlackHat recently, I believe. Anyhow, the info is widely available for anyone who knows how to use Google.

Quote
Any reason you don't wrap the key in tin foil?

Well, you could do that and it *might* work (it's actually much less effective than you'd think), but it's still very inconvenient because you can't turn the protection off/on easily. In other words it ruins the convenience of the RKE system.


What you don't realize is that that jammer you are proposing would have to be very indiscriminate - the moment it detects something on one of the assigned frequencies (these systems usually use frequency hopping, not a single fixed frequency), it would have to start jamming right away - all the while possibly interfering with someone else's key fob, garage door openers, alarm remote, etc.

And if it wanted to minimize this and waited until it could positively identify the signal as coming from the key, it would likely be too late - the thief could have recorded the signal already and your subsequent jamming would be useless.

In this context the tin foil would actually be a lot more effective than what you are proposing.

Anyhow, you don't have to have this option active on your car or just don't buy a car with it. A good theft insurance on a new car would go a long way towards mitigating any of these issues. Also, not sure how it is in the US, but in Central/Eastern Europe where car theft is a common problem, it has been a common wisdom for a long time to not rely only on the manufacturer's lock and immobilizer, because the thieves are familiar with them and most have publicly known more or less trivial bypasses. Actually some insurance companies used to turn you down unless you have bought an aftermarket alarm.

X-Y problem, indeed.
« Last Edit: August 31, 2016, 01:22:38 pm by janoc »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #30 on: August 31, 2016, 01:35:01 pm »
Quote
Possibly, especially if the car manufacturer was clueless and didn't use multiple challenge/response transactions or one time codes, facilitating various possible replay attacks. You don't need to worry about "them spreading", the attacks are published - they have been at Defcon and BlackHat recently, I believe. Anyhow, the info is widely available for anyone who knows how to use Google.

Replay attacks work against one time codes.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: FCC rules in USA
« Reply #31 on: August 31, 2016, 02:01:39 pm »
Quote
Possibly, especially if the car manufacturer was clueless and didn't use multiple challenge/response transactions or one time codes, facilitating various possible replay attacks. You don't need to worry about "them spreading", the attacks are published - they have been at Defcon and BlackHat recently, I believe. Anyhow, the info is widely available for anyone who knows how to use Google.

Quote
Replay attacks work against one time codes.

Replay attack cannot work against one time code by definition.

What works is that you de-synchronize the key and the lock - by forcing the key to generate multiple codes that are not used right away (e.g. because the lock is out of range or the attacker actively jams the receiver). The attacker can then use one of these codes to open the lock and get a new "clean" code from the key (that the lock doesn't "see" and thus cannot invalidate) for the use next time. This is known as the RollJam attack, mainly used against classic keyfobs with rolling code (that's why the name).

On the other hand, there are apparently recent (2006) cars on the market that don't even use a rolling code (!), so a replay attack is pretty trivial:
http://calebmadrigal.com/hackrf-replay-attack-jeep/

However, there are possible counter-measures against such attacks - that's why I have always said that the success very much depends on how clueless (or not) the manufacturer implementing this was. Anyway, I think this debate is off-topic, the information about how this works is available if you want to study it:

Relay attacks (and possible countermeasures on keyless entry and start systems - from 2010!):
https://eprint.iacr.org/2010/332.pdf

Good overview of the possible attacks and their mitigation, including the recent attack on the crypto used by the VW cars (and many of their brands):
http://www.cs.tufts.edu/comp/116/archive/fall2015/arichardson.pdf

« Last Edit: August 31, 2016, 02:13:17 pm by janoc »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #32 on: August 31, 2016, 02:16:54 pm »
Quote
Replay attack cannot work against one time code by definition.

OK, I've obviously misunderstood somewhere and I'm genuinely curious as to what I've misunderstood, why can't you jam a receiver and snag the code from the key for a one time code?

Unless there's two way communication (challenge response) or the code is time sensitive it should work shouldn't it?

(admittedly it'd be *very* fiddly)
 

Offline b_force

  • Super Contributor
  • ***
  • Posts: 1381
  • Country: 00
    • One World Concepts
Re: FCC rules in USA
« Reply #33 on: August 31, 2016, 03:14:47 pm »
Quote
Not. At. All.

Besides, if the product is inside an effective Faraday cage then the product is pointless.
Pointless?
Depends what you wanna do with it and how big the cage is.
I have seen cages as big as a small house.
These kind of jammers were used (and needed) for testing and troubleshooting certain products.
« Last Edit: August 31, 2016, 03:16:57 pm by b_force »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #34 on: August 31, 2016, 03:30:16 pm »
Quote
Not. At. All.

Besides, if the product is inside an effective Faraday cage then the product is pointless.
Pointless?
Depends what you wanna do with it and how big the cage is.
I have seen cages as big as a small house.
These kind of jammers were used (and needed) for testing and troubleshooting certain products.

You're going to look rather odd driving a Faraday cage around.
 

Offline Neilm

  • Super Contributor
  • ***
  • Posts: 1546
  • Country: gb
Re: FCC rules in USA
« Reply #35 on: August 31, 2016, 06:37:19 pm »
I've just checked the manual for a Toyota with that entry system. The system can be turned off at the key and in the car so it will only work on the button as per any other remote unlock system.
Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. - Albert Einstein
Tesla referral code https://ts.la/neil53539
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: FCC rules in USA
« Reply #36 on: September 01, 2016, 10:37:54 pm »
Quote
Replay attack cannot work against one time code by definition.

Quote
OK, I've obviously misunderstood somewhere and I'm genuinely curious as to what I've misunderstood, why can't you jam a receiver and snag the code from the key for a one time code?

Unless there's two way communication (challenge response) or the code is time sensitive it should work shouldn't it?

(admittedly it'd be *very* fiddly)

That's the RollJam attack I have mentioned. That is, strictly speaking, not a true replay attack, because no code is ever used multiple times to open the lock. The idea of a replay attack is that you capture some signal while it is being used and then use it again to reproduce the desired behavior without the original key. That obviously doesn't work if a true one time code (e.g. a rolling code) is in use, because the receiver will detect the code as having been used before and rejects it.

That is a bit simplified, because there is the whole transmitter/receiver synchronization issue - the receiver must handle even a situation when some codes in the sequence are skipped (e.g. because the transmitter has been activated while out of range or jammed) and there must be a way to ensure that the two can resynchronize again should the key get wildly out of sync (someone kept pressing the button on the fob, the battery died, new key, etc.).  Some cars synchronize the keys every time when they are inserted in the ignition, with others you have to go through some special manual procedure should the key get out of sync for whatever reason.

That Jeep hack I have linked to is a replay attack - it works only because that car doesn't use even something so basic as a rolling code.

Quote
You're going to look rather odd driving a Faraday cage around.

You do realize that a Faraday cage can be simply something like this: http://www.idstronghold.com/, right?
Or even the proverbial Altoids tin or that aluminium foil. There is no need for it to be a literal cage.
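The rolling-code behaviour described in the post above (a used code is rejected, skipped codes inside a window are still accepted, and a key that is wildly out of sync needs a manual resynchronisation) can be illustrated with a small receiver model. This is an added example, not code from the thread or from any car manufacturer; the counter-plus-HMAC code format, the window sizes and the two-press resync rule are assumptions chosen to keep it self-contained (real fobs such as KeeLoq encrypt the counter instead of appending a MAC).

```python
import hashlib
import hmac

# Constructed shared secret for the demo; a real fob has a per-key secret set at manufacture.
DEMO_KEY = b"constructed-demo-key-not-a-real-fob-secret"
WINDOW = 16            # skipped presses the receiver tolerates during normal use (assumed)
RESYNC_WINDOW = 2**15  # much larger window used only by the manual resync procedure (assumed)


def make_code(key: bytes, counter: int) -> bytes:
    """One-time code = 32-bit counter || 32-bit truncated HMAC-SHA256 tag (assumed format)."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:4]
    return ctr + tag


class Fob:
    """Transmitter side: every press advances the counter, heard by the car or not."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    """Car side: remembers the last accepted counter and only moves forward."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def _valid_counter(self, code: bytes, max_ahead: int):
        if len(code) != 8:
            return None
        ctr = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(make_code(self.key, ctr), code):
            return None            # forged or corrupted code
        if ctr <= self.counter:
            return None            # already used, or older than the last accepted one
        if ctr - self.counter > max_ahead:
            return None            # too far ahead: refuse and require resync
        return ctr

    def accept(self, code: bytes) -> bool:
        ctr = self._valid_counter(code, WINDOW)
        if ctr is None:
            return False
        self.counter = ctr         # window slides forward; earlier unused codes die here
        return True

    def resync(self, first: bytes, second: bytes) -> bool:
        """Manual procedure: two consecutive presses prove the fob, then adopt its counter."""
        a = self._valid_counter(first, RESYNC_WINDOW)
        b = self._valid_counter(second, RESYNC_WINDOW)
        if a is None or b is None or b != a + 1:
            return False
        self.counter = b
        return True


def demo() -> dict:
    """Walk through the cases discussed in the thread and return each outcome."""
    fob, car = Fob(DEMO_KEY), Receiver(DEMO_KEY)
    r = {}
    c1 = fob.press()
    r["first_press"] = car.accept(c1)                 # normal use
    r["replay_of_used_code"] = car.accept(c1)         # true replay: rejected
    skipped = [fob.press() for _ in range(3)]         # pressed out of range (counters 2..4)
    r["skip_within_window"] = car.accept(fob.press()) # counter 5 accepted, window slides
    r["older_unused_after_advance"] = car.accept(skipped[0])  # now stale: rejected
    for _ in range(WINDOW + 5):                       # key gets wildly out of sync
        fob.press()
    far = fob.press()
    r["beyond_window"] = car.accept(far)              # rejected, needs resync
    r["resync"] = car.resync(far, fob.press())        # two consecutive presses
    r["after_resync"] = car.accept(fob.press())       # back to normal
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

The `older_unused_after_advance` case is the defensive property worth noting: a code the car never heard stays valid only until a later counter is accepted, which is why the receiver should slide its window on every successful unlock rather than keeping a set of "seen" codes.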

 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4078
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: FCC rules in USA
« Reply #37 on: September 02, 2016, 07:11:40 am »
I think Mercedes can also disable the RF part and only work on IR. (IR receiver next to door handle)
If anyone wants to steal your code they have to be nearby enough that it would cause suspicion.

 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #38 on: September 02, 2016, 08:24:30 am »
Quote
You do realize that a Faraday cage can be simply something like this: http://www.idstronghold.com/, right?
Or even the proverbial Altoids tin or that aluminium foil. There is no need for it to be a literal cage.

I do indeed, but the post I replied to suggested encasing the entire car and key inside a Faraday cage, that'd be rather a lot of aluminium foil and would look a little odd.

I genuinely don't understand why a one time code could be rejected by the car if, as far as the car is concerned, it's never been presented to the car unless there's a challenge-response handshake mechanism in play or the codes are somehow dependent on key and receiver being time synchronised (like the RSA ID tokens for instance)?

I'm perfectly happy to accept that my logic is flawed and would welcome an explanation other than 'it's a one time code'.
 

Offline b_force

  • Super Contributor
  • ***
  • Posts: 1381
  • Country: 00
    • One World Concepts
Re: FCC rules in USA
« Reply #39 on: September 02, 2016, 10:23:02 am »
I don't know how people read posts, but I never ever suggested that at all.
I was just talking about FCC in general. It's up to the creativity of the developer to find out what works in his case.

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #40 on: September 02, 2016, 11:50:50 am »
Quote
I don't know how people read posts, but I never ever suggested that at all.
I was just talking about FCC in general. It's up to the creativity of the developer to find out what works in his case.

Mea culpa, my bad, I didn't get my point across.

The 'pointless product' comment was intended to convey that having the key in a Faraday cage would stop it communicating with anything so it rendered the jammer pointless.

To effectively stop the key being 'sniffed' but allowing the key to still open the car would need the car and key to be inside such a cage, hence it'd look rather odd to be driving a Faraday cage around.

After this, I give up. 
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: FCC rules in USA
« Reply #41 on: September 02, 2016, 12:40:31 pm »
Quote
I genuinely don't understand why a one time code could be rejected by the car if, as far as the car is concerned, it's never been presented to the car unless there's a challenge-response handshake mechanism in play or the codes are somehow dependent on key and receiver being time synchronised (like the RSA ID tokens for instance)?

I'm perfectly happy to accept that my logic is flawed and would welcome an explanation other than 'it's a one time code'.

Your logic isn't flawed, but you have missed my point. What you are describing happens during the RollJam attack. My point was that it is not a true replay attack because no key is being reused, not that it doesn't work. So it is not a good argument if you want to claim that one time codes are breakable using replay attacks - as there is no replay attack here.
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: FCC rules in USA
« Reply #42 on: September 02, 2016, 01:14:58 pm »
Ah, gotcha.

For the life of me I could not see (other than technical issues with jamming/receiving keys) how it would fail on a theoretical level.

I don't seem to be covering myself in glory in this thread as I misused 'replay' in terms of the documented attacks and used it to mean the hacker would replay a recorded but unused key, not a previously used and accepted key.
 
